CWE-614 Insecure Cookie in HTTPS Session
Coverage: 8 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 7Other-pattern 1 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.
What this means
SiteShadow flagged session cookies that are missing secure attributes (like Secure, HttpOnly, and a safe SameSite) even though the session is used over HTTPS.
Why it matters
- Missing cookie flags can lead to session theft and cross-site request abuse.
- A stolen session cookie can mean full account takeover until the session expires or is revoked.
Safer examples
1) Set Secure, HttpOnly, and SameSite
res.cookie("session", token, {
httpOnly: true,
secure: true,
sameSite: "lax",
});
2) Rotate sessions on login and privilege changes
If a session is stolen, rotation reduces the window and prevents fixation.
3) Prefer short sessions + revocation
Give users/admins the ability to revoke sessions, and use reasonable expirations (see TOK01).
How SiteShadow detects it (high level)
- Detects cookie-setting APIs and flags missing
Secure/HttpOnly/SameSite. - Prioritizes cookies that look like session/auth tokens.
References
- CWE-614: https://cwe.mitre.org/data/definitions/614.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.